Iran Downplays Significance of Narilam Malware


Following last week's discovery of the Narilam malware by security company Symantec, Iran's official computer security group has downplayed its significance, saying it should not be compared to Stuxnet or Flame.

Last week Symantec warned businesses to watch out for a new Iran-focused malware called Narilam which can sabotage corporate databases by changing or deleting the values contained within them.

However, Iran's Computer Emergency Response Team (CERT) issued a statement over the weekend which downplayed the significance of the Narilam worm, saying it was first detected more than two years ago:

"The malware called 'narilam' by Symantec was an old malware, previously detected and reported online in 2010 by some other names. This malware has no sign of a major threat, nor [is it] a sophisticated piece of computer malware.

"The sample is not widespread and is only able to corrupt the database of some of the products by an Iranian software company - those products are accounting software for small businesses. The simple nature of the malware looks more like a try to harm the software company's reputation among its customers."

CERT (also known as MAHER) made reference to the fact that many media organisations, as well as Symantec itself, had compared Narilam to better-known pieces of malware such as Stuxnet, Duqu and Flame, which also targeted Iran.

Limited

CERT believes it is incorrect to compare the Narilam virus to these other pieces of malware, as it is a much simpler and more limited piece of malware.

For example, the virus does not have the capability to steal any information from infected PCs, but is instead only able to change values within databases.

The worm targets Microsoft SQL databases and searches for specific terms related to accounting and banking, replacing these with random values or deleting them completely.

"Given the types of objects that the threat searches for, the targeted databases seem to be related to ordering, accounting, or customer management systems belonging to corporations. Our in-field telemetry indicates that the vast majority of users impacted by this threat are corporate users," Symantec researcher Shunichi Imano said in a blog post last week.

The vast majority of infections are in Iran, though Symantec has also recorded infections in the UK and US.

CERT claims: "This is not a threat for general users" and that no special care need be taken. It adds that corporate customers should make a backup of their databases and use updated anti-virus software to scan their systems.
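As an added illustration (not code from the article, Symantec or Iran's CERT), the following shows how a defender can pair the backup CERT recommends with a keyed integrity snapshot of an accounting table, so that rows whose values were overwritten with random numbers, or which were deleted outright, can be identified and restored selectively. The table layout, column names, sample values and key are constructed assumptions for the example.

```python
import hashlib
import hmac

# Constructed sample: a simplified accounting table as it looked when the
# backup was taken. Column names and values are assumptions, not from the page.
BASELINE_ROWS = {
    1001: {"account": "4100-sales", "amount": "2500.00", "customer": "acme"},
    1002: {"account": "4100-sales", "amount": "980.50", "customer": "globex"},
    1003: {"account": "2100-payable", "amount": "412.00", "customer": "initech"},
}

# The same table after the kind of corruption described above: one value
# replaced with a random number, one row deleted completely (constructed).
CURRENT_ROWS = {
    1001: {"account": "4100-sales", "amount": "2500.00", "customer": "acme"},
    1002: {"account": "4100-sales", "amount": "73829.13", "customer": "globex"},
}


def row_digest(key: bytes, row: dict) -> str:
    """Keyed digest over the row's columns in a fixed order. Because it is keyed,
    something that can write to the table cannot forge a matching baseline."""
    canonical = "\x1f".join(f"{col}={row[col]}" for col in sorted(row))
    return hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()


def snapshot(key: bytes, rows: dict) -> dict:
    """Map primary key -> digest; store this alongside the database backup."""
    return {pk: row_digest(key, row) for pk, row in rows.items()}


def audit(key: bytes, baseline: dict, current_rows: dict) -> dict:
    """Compare the stored baseline with the live table and classify damage."""
    live = snapshot(key, current_rows)
    return {
        "modified": sorted(pk for pk in baseline if pk in live and live[pk] != baseline[pk]),
        "deleted": sorted(pk for pk in baseline if pk not in live),
        "added": sorted(pk for pk in live if pk not in baseline),
    }


def run_demo() -> dict:
    key = b"constructed-demo-key"  # in practice, loaded from a secret store
    baseline = snapshot(key, BASELINE_ROWS)
    # Rows listed as modified or deleted are the ones to restore from backup.
    return audit(key, baseline, CURRENT_ROWS)


if __name__ == "__main__":
    print(run_demo())
```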

However, Imano believes this might be too little, too late for some companies:

"Unless appropriate backups are in place, the affected database will be difficult to restore. The affected organisation will likely suffer significant disruption and even financial loss while restoring the database."